38 matches found
Missing balance checks in _reserveTokenSpecified()
Lines of code Vulnerability details Impact By calling depositGivenInputAmount and withdrawGivenOutputAmount which both call 'reserveTokenSpecified', users may potentially create scenarios where the balance ratio allowed for the EvolvedProtocol.sol deployment is violated. POC depositGivenInputAmou...
Mint/Burn amount during LP addition/removal changes with time
Lines of code Vulnerability details Impact When a user adds LP to the pool, they get LP tokens which they can later use to redeem their positions. The issue is that since the utility and the curve parameters change with time, so does the value of the LP tokens. Say a user wants to deposit 1 ETH t...
ARBTriCryptoOracle is prone to manipulation
Lines of code Vulnerability details Impact ARBTriCryptoOracle is used to determine price of LP token of tricrypto USDT, WBTC, WETH on arbitrum. This pool is susceptible to re-entrancy due to bug in vyper 0.2.15. and hence getvirtualprice can be manipulated which is used for pricing LP tokens. Pro...
Inflation attack in well
Lines of code Vulnerability details Impact The Well.sol contract is vulnerable to a first depositor attack allowing someone to directly send funds to the pool in order to obfuscate the totalSupply and steal funds from the subsequent depositor. Proof of Concept Below is how the attack can be carri...
Inconsistent check for LP balance in AMO
Lines of code Vulnerability details Inconsistent check for LP balance in AMO While pulling LP tokens from the CVXStaker contract, the AMO queries the current available balance using the staked balance, which is inconsistent with the implementation of the withdraw function. Impact Curve LP tokens...
All the lp tokens will be stuck in the AMO2 contract if CVXStaker.withdrawAllAndUnwrap is called with sendToOperator flag
Lines of code Vulnerability details Impact Loss all the stEth and xEth lp tokens. Proof of Concept The CVXStaker.withdrawAllAndUnwrap can be called by the admin. And if the sendToOperator param is true, all the lp tokens of the CVXStaker contract include lp tokens staked in the CVX and left in th...
AMO2 doesn't add the lp balance of the CVXStaker to the withdrawable token amount
Lines of code Vulnerability details Impact The lp tokens held by CVXStaker can't be able to used or withdrew by AMO2. Although the jam is not permanent and the owner of the CVXStaker can use recoverToken function to withdraw them, it will cause the functions about removing liquidity break down in...
MuteBond.sol: price discount can be manipulated which undermines its purpose of reflecting demand
Lines of code Vulnerability details Impact The bondPrice in the MuteBond contract increases linearly during the epochDuration from startPrice in the beginning to maxPrice in the end. The bondPrice determines how many MUTE tokens a user receives for bonding his LP tokens. The higher the bondPrice...
SfrxEth slippage and fee stealing
Lines of code Vulnerability details Impact The SfrxEth derivative contract calculates the maximum slippage for buying SfrxEth from curve pool by using the current price in the pool at runtime, without considering the price at which the user submitted the transaction to the mempool: uint256 minOut...
Newly staked LP tokens' end time can overwrite previously staked LP tokens' end time
Lines of code Vulnerability details Impact When the following NeoTokyoStaker.stakeLP function is called for the first time to stake some LP tokens, stakerLPPositionmsg.sender.timelockEndTime = block.timestamp + timelockDuration is executed. Then, calling this function for a second time to stake...
Ability to receive LP rewards without having any LP staked
Lines of code Vulnerability details Impact The impact of this is high as a user is able to first stake LP tokens, then craftily withdraw them in specific increments without any change to their staking rewards. The user is able to get to a state in which they have 0 LP tokens staked, but have 0 LP...
Flawed calculation in getPoolReward leads to permanent loss of rewards
Lines of code Vulnerability details In NeoTokyoStaker.getPoolReward, a users reward is calculated as follows: 1388: uint256 share = points PRECISION / pool.totalPoints totalReward; 1390: share /= PRECISION; points represents the users total points in the pool over a specific potentially long time...
A malicious early user/attacker can manipulate the share price to take an unfair share of future users' deposits
Lines of code Vulnerability details Impact A malicious early user/attacker can manipulate the share price to take an unfair share of future users' deposits. The first minter can manipulate the supply of LP tokens and baseToken-fractional ratio, hindering small liquidity providers from interacting...
Early user can break the minting of LP Tokens
Lines of code Vulnerability details Impact The attack vector is the same as TOB-YEARN-003, where users may not receive liquidity tokens in exchange for their baseTokenAmount and fractionalTokenAmount deposited if the total baseTokenAmount has been manipulated through a large “donation”. In the...
Aggregated reserve amounts should be used instead of the first valid tick liquidity
Lines of code Vulnerability details Impact Liquidity can be biased on a specific side quote vs base and it is even possible a liquidity provider gets more LP tokens. Proof of Concept According to the PDF document provided, the number of LP tokens newSupply is calculated using the Table 1 as below...
Medium: Giant pools are prone to user griefing, preventing their holdings from being staked.
Lines of code Vulnerability details Description batchRotateLPTokens in GiantMevAndFeesPool allows any user to rotate LP tokens of stakingFundsVaults around. function batchRotateLPTokens address calldata stakingFundsVaults, LPToken calldata oldLPTokens, LPToken calldata newLPTokens, uint256 callda...
Med: withdrawDETH is not functional for array lengths greater than one.
Lines of code Vulnerability details Description The withdrawDETH function is used in GiantSavETHVaultPool to burn user's LP tokens and grant them dETH. It loops over all input vaults and all input LPTokens, and for each one calls lpTokenETH.burnmsg.sender, amount; Before that, it uses...
EOAs and system contracts can be blocked from some actions by continuously transferring them zero LP tokens
Lines of code Vulnerability details Impact LPToken contains the map lastInteractedTimestamp which maps addresses to timestamps and is updated for from and to addresses after a token transfer. Many operations will check the last interaction time of an address and revert if it's too recent to comba...
Users of StakingFundsVault can never redeem their LP token once staking has started
Lines of code Vulnerability details The burnLPToken of a Fees & MEV vault allow users to burn LP tokens in exchange of ETH. Quoting the documentation Every user has a right to leave the LSD network at anytime. A depositor/staker can simply sell their LP tokens to someone else or burn to redeem ET...
Users can block other users from redeeming their ETH in Vaults
Lines of code Vulnerability details The burnLPToken of a protected vault allow users to burn LP tokens in exchange of ETH or dETH. In the case of ETH, ie when the BLS key has not had its derivatives minted yet, the function checks the liquidity is not fresh by checking...